So, the iThemes site was hacked
On September 23rd, the iThemes team announced that their website had been attacked and their database was compromised. Now, before I dig into that, you may have heard of iThemes in one of two places:
- You use their theme framework to power your WordPress theme.
- You use the iThemes Security plugin.
For me, it was the latter. So when I heard that their site was hacked, my first reaction was to chuckle a little. How embarrassing. You create a WordPress security plugin—and even sell a “pro” version of it for $80+—and yet your own site gets hacked.
Yes, I laughed a little. But you know what, I figured: it could happen to anyone. No matter how much protection you put around your site, people are still going to try to find a way to weasel in. I totally get that. I help run a super large gaming fan site that gets millions of hits per month, and we were CONSTANTLY targeted by hackers because of our tempting database full of usernames and passwords. And even with awesome coders and server admins looking after us, we still got hacked a couple times.
However, it was the second update that led me to create this post.
iThemes stores passwords in plain text
This is something you JUST DON’T DO.
Normally when you store usernames and passwords, the passwords are hashed, not kept as-is. (People often say "encrypted", but it's really a one-way hash: there is no key that turns the stored value back into the password.) So if someone were to get hold of your database, they would see the username in plain text (just like "nosegraze"), but the password WOULDN'T be stored in plain text. Let's say your password was "skittles". It wouldn't actually be stored in the database as "skittles". Instead, it would be hashed and the hash would be stored, so in the database you would see something like "27c07e1c9bcd1ac7e5e995ed92534d77". You can't actually log in with that value, so on its own it's useless to an attacker. Yes, they could try to crack it by hashing guess after guess until one matches, but that's a lot more work, and if the site uses a salted, deliberately slow hash (as WordPress's own login does) it is far more work still. An unsalted, fast hash such as a bare MD5 of a dictionary word like "skittles", on the other hand, falls to a wordlist in seconds, so "hashed" alone isn't the whole story either…
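To make the difference concrete, here is a small Python illustration I've added to this post (it is not code from iThemes, from WordPress, or from the original write-up). It shows the three storage choices the paragraph contrasts: plain text, an unsalted fast hash, and a salted slow hash, plus the offline guessing attack an attacker runs against a stolen database. The tiny wordlist is constructed for the demo; real attackers use lists with millions of entries.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist standing in for the dictionaries attackers really use.
WORDLIST = ["password", "123456", "letmein", "skittles", "qwerty"]


def store_plaintext(password: str) -> str:
    """What iThemes did: the database row holds the password itself."""
    return password


def store_md5(password: str) -> str:
    """Unsalted fast hash. Better than plain text, but cheap to crack offline:
    one MD5 per guess, and the same password always gives the same digest,
    so a precomputed table works against every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library).
    The stored string carries everything needed to verify later:
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count and compare
    in constant time. The password itself never has to be on disk."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_md5(stored_digest: str, wordlist=WORDLIST) -> Optional[str]:
    """Offline attack on a leaked unsalted digest: hash each guess, compare."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == stored_digest:
            return guess
    return None


def crack_pbkdf2(stored: str, wordlist=WORDLIST) -> Optional[str]:
    """The same attack against the salted slow hash. It still succeeds when the
    password is on the wordlist, but every guess costs the full iteration count
    and has to be repeated per user because each salt differs."""
    for guess in wordlist:
        if verify_pbkdf2(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    pw = "skittles"
    print("plain text :", store_plaintext(pw))
    md5_row = store_md5(pw)
    print("md5        :", md5_row, "-> cracked:", crack_md5(md5_row))
    pbkdf2_row = store_pbkdf2(pw)
    print("pbkdf2     :", pbkdf2_row)
    print("login ok   :", verify_pbkdf2(pw, pbkdf2_row))
    print("wrong pw   :", verify_pbkdf2("Skittles", pbkdf2_row))
```

Run it twice and note that the PBKDF2 row changes each time (different salt) while the MD5 row does not; that, and the per-guess cost, is what "hashed and salted" buys you. It does not rescue a password that is literally on a wordlist, which is why the slow hash and a decent password policy go together.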
It’s just common knowledge that unless you’re being very insecure, you don’t store passwords in plain text. And yet, iThemes did.
There is no easy way to say this: We were storing your passwords in clear-text. This directly impacted approximately 60,000 of our users, past and current.
What Does Plain Text Mean?
This means that the passwords were not protected as they should have been. They were not hashed, salted or any combination of techniques. This means if the attacker was able to see / save the passwords they have a new username / password list.
Cory Miller, iThemes
Honestly, if I were Cory Miller I'd want to bury my head in the sand, quit online life, and become a solitary citrus farmer. It's pretty appalling that someone who SELLS a security plugin had been storing passwords in plain text since 2009. That's one of the worst security mistakes there is, and there's no excuse for it. I wouldn't want to buy a security plugin from people who don't do their own security correctly.
Does this make you lose faith in iThemes Security?
I don’t know about you, but I now look at iThemes security with a lot more scepticism. If they fucked up their own site so badly, how can any of us be confident that the iThemes Security plugin is properly doing its job? Luckily for me, I take many of my own security measures and don’t rely too heavily on the plugin. But if this plugin is all you use, how do you feel about it now?
Note: this doesn’t actually affect the WordPress plugin
Just a disclaimer: the iThemes website getting hacked doesn't actually affect the iThemes Security plugin at all. This does not mean the hackers suddenly have your WordPress login details. The attack only hit the iThemes website itself, which stored login information, IP addresses, and receipts for purchases made through their website. The one thing to check: if you used the same password on ithemes.com as anywhere else (your own WordPress admin account included), change it there too, because that password is now on an attacker's list.
Yikes! How scary D: So many stories about hacks these days…
I know. 🙁 I’ve heard of a few book bloggers being hacked as well. These hackers need to get a life!
Wow, plain text password storage. I just…how…I don’t even know how a SECURITY plugin could think that is okay. I even know you have to encrypt passwords.
I know, it’s absurd! And they’ve been doing this for like FIVE YEARS! Even back when it started (2009) it was common knowledge that you just don’t store passwords in plain text. You don’t do it. I can’t believe they had to wait until they got hacked to address this.
Scary stuff this. I was using the Ithemes plugin for a while, but after breaking my site with it once I deactivated it. I just didn’t understand enough about it to use it well. I even removed it from my site yesterday in an attempt to fix another issue I was having. After reading this I don’t think I’ll use it ever again.
Yeah I had it installed on Nose Graze even though I didn't really need it (because I have my own security stuff that I add). But I actually removed and deleted iThemes Security about a month ago, and now this news makes me feel like I made the right choice.
I hadn’t heard of this company before but wow, someone is probably out of a job right about now 😛
Seriously. I can’t imagine who will want to PAY for the pro version of their theme ever again. I wonder how much their revenue will drop.
Wowowwwwww this really makes me have ZERO faith in the iThemes team. I used the iThemes WP plugin back when it was called something else, but switched out to a different security plugin after it changed and I had some problems with it. I’m glad I did – even though this doesn’t *affect* the WP plugin, it does make me question how secure that plugin actually is. O_O
Exactly!! I know the iThemes Security plugin is free, but there is a pro version. I bet everyone who paid for that pro version is feeling pretty cheated right about now… Even if the iThemes Security plugin does its job, I still wouldn’t want to use it. No one can release a security plugin (and CHARGE for a pro version) but not implement BASIC security measures on their own site… >_<
Wow. Not good. I think I probably would have lost faith, but then again I suppose after they’ve learned their lesson they probably would be pretty good after that. Who’s to say you change to someone else who hasn’t learned their lesson yet? Luckily I don’t have to think about it, I don’t have iThemes… or at least I don’t think I do. I must go check to make sure. LOL
Ugh, I use them. Truth be told, their settings dashboard is a pain in the ass anyway, and I really only need maybe 30% of what they offer: things like obscuring the login page to prevent brute force attempts, locking out brute force peeps, and a few other things. A lot of it would lock me out of my own site on occasion (has already happened LOL).
I’m sure I’m fine since we use the free version, but it makes me wonder if they are encrypting the information backed up via the plugin.
Yeah their settings panel was always a mess. I used iThemes Security on one of my other sites and deleted it recently. My own account kept getting locked out because someone else was failing at the password.. and fair enough, that’s not their fault. BUT! …
I deleted all of the active lockouts in the database (meaning no one should be locked out), then tried to login… and I was still locked out! But their "lockouts" table in the database was now empty O_O So I deactivated the plugin via FTP by renaming it… and I was STILL locked out! Who knows what the fuck that plugin was doing.
I had to actually create a new admin user through the database in order to login and delete that stupid plugin. Talk about nuts.
*facepalm* This is totally absurd… Could that be a bug? Maybe passwords were supposed to be encrypted and somewhere, some time, some guys commented out that line (ok, a few lines) and the passwords ended up in clear in the DB? Yeah, I’m being imaginative. I just can’t get it. It’s like a cop driving drunk at 180km/h. Or a politician swearing around in the street while smoking weed. It can only be a joke, right?
I generally don’t trust popular companies selling security. “Popular” and “safe” don’t go well together. I didn’t use iThemes Security, and now I know I won’t 🙂
Nope, definitely not a bug. In the post they kind of came clean and said that the membership system they were using since 2009 stored passwords in plain text. They knew it, and were basically too lazy to do anything about it, so they just left it like that.
So, er, that is a security service that uses an external membership system and doesn’t fix its identified security (massive) breach.
Now, this is between hilarious and tragic. 🙂
Yep absolutely. I felt bad for them until they did a second post and announced this password thing… now it’s just embarrassing.
I use Wordfence and have been delighted with their protection. They encrypt everything.
It didn’t even occur to me that I would have to secure my WordPress site. o_o I just installed Wordfence. (As you may have noticed I didn’t go with iThemes.) Thanks for writing up this post!
Absolutely! Would you leave your front door or car unlocked? It's the same with everything online! You need to secure your online accounts and websites as much as possible. I suggest you read some of my posts about security for a few more tips!